faa aircraft systems federal aviation information security ...cybernautics.aero/images/pdf/faa...

Federal Aviation Administration FAA Aircraft Systems Information Security Protection (ASISP) Overview, Paper #132 Presented to: Integrated Communications, Navigation and Surveillance (ICNS) Conference Presented by: Peter Skaves, FAA CSTA for Advanced Avionics Date: April 21, 2015


Page 1
Federal Aviation Administration
FAA Aircraft Systems Information Security Protection (ASISP) Overview, Paper #132
Presented to: Integrated Communications, Navigation and Surveillance (ICNS) Conference
Presented by: Peter Skaves, FAA CSTA for Advanced Avionics
Date: April 21, 2015

Page 2
Aviation Safety
Many thanks for the help, support, and slide material from:
● Brian Verna, AFS-360
● Steve Paasch, AIR-134
● Varun Khanna, ANM-111

Page 3: ASISP Topics
● A rose by any other name...
● Background
● e-Enabled Aircraft
● Potential Risks
● AVS Security Scope
● U.S. Government Services
● Non-Government Services
● Regulations, Policy, Standards and Guidance
● Future Direction of ASISP
● ARP 4754A

Page 4: A rose by any other name...
● We’ve used several terms for security from electronic attacks on networks and systems: network security, information security, systems security, and cyber security
● These terms are often used interchangeably, which may cause confusion as to their intended meaning

Page 5: A rose by any other name...
● We are now trying to standardize on the term Aircraft Systems Information Security Protection (ASISP)…
  o …to indicate security from electronic attacks on aircraft networks and systems
● We’re talking here only about aircraft: not air traffic services and providers
● U.S. governmental services have their own programs for information security

Page 6: Background
● Prior to the availability of e-Enabled technologies, legacy aircraft have used architectures with limited wired or wireless connectivity to non-governmental service providers
● This is rapidly changing as aircraft are incorporating Wi-Fi, Electronic Flight Bags, wireless Field Loadable Software, real-time aircraft health monitoring and reporting, and Passenger Information and Entertainment Systems

Page 7: Background
● Aircraft operators and manufacturers have identified potential economic and safety benefits of using e-Enabled technology and software applications
● e-Enabled applications will mean increased aircraft connectivity to non-governmental service providers

Page 8: Background
● Aircraft operators have the option to include a wireless network on e-Enabled aircraft to:
  o Remotely upload software parts, aeronautical charts, airplane flight manuals, electronic checklists, performance information, flight plan information, etc., to aircraft systems located anywhere in the world
  o Continuously monitor health information from aircraft systems, record data to an onboard maintenance computer, and send information to airlines in real time

Page 9: e-Enabled Aircraft, Domains and Connectivity
[Figure: Today’s aircraft systems connectivity, grouped into domains. Labelled elements: CNS/ATM Network (En Route, Terminal, Command Center, Tower); External Networks (Internet); Controls; CNS/ATM connectivity; Air Traffic Services; Non-Government Services; numbered interfaces 1, 2 and 3; A/C External threat; A/C Internal threat.]


Page 11: Potential Risks
Examples of potential ASISP risks:
● Erroneous maintenance messages
● Corrupted software loads to aircraft systems
● Malware to infect an aircraft system
● An attacker to use onboard wireless to access aircraft system interfaces

Page 12: Potential Risks
Examples of potential ASISP risks:
● Denial of service of wireless interfaces
● Misuse of personal devices that access aircraft systems
● Misuse of off-board network connections to access aircraft system interfaces
● Denial of service of safety critical systems


Page 14: AVS Security Scope
● Recent designs for aircraft systems include connectivity to non-governmental services such as the internet, portable electronic devices, and commercial-off-the-shelf technologies that have not been certified and accredited for secure operations by a government authority
● These designs can introduce ASISP vulnerabilities beyond the scope of current airworthiness regulations and of the traditional systems safety assessment methods typically used to show compliance with the airworthiness requirements in Title 14 CFR

Page 15: AVS Security Scope
● e-Enabled technologies should be evaluated to ensure that their security controls are as good as, or better than, those of the aircraft networks, systems, and procedures they are replacing

Page 16: U.S. Government Services
● U.S. governmental Air Traffic Services have been certified and accredited in accordance with the Federal Information Security Management Act (FISMA), FAA Order 1370.82A Information Systems Security Program, and the FAA Information Systems Authorization Handbook
● For purposes of ASISP, we consider U.S. government Air Traffic Services to be secure

Page 17: U.S. Government Services
Examples of government services:
● Global Navigation Satellite Systems (GNSS)
● Automatic Dependent Surveillance – Broadcast (ADS-B)
● Ground Based Navigation Aids
● Instrument Landing Systems (ILS)
● Air Traffic Data and Voice Communications

Page 18: Non-Government Services
Examples of non-government service providers:
● Airline Networks (Airline Operations Centers)
● Airport Networks (e.g., GATELINK)
● Public Networks (e.g., Internet)
● Data Loaders (e.g., FLS and Databases)
● Wireless Aircraft Sensors and Sensor Networks
● Ground Support Equipment
● Universal Serial Bus (USB) devices
● Portable Electronic Flight Bags
● Cellular Networks

Page 19: Regulations, Policy, Standards, and Guidance: Regulations
● The following regulations do not specifically address security requirements for aircraft networks and systems:
  o § xx.1301 Function and Installation
  o § xx.1309 Equipment, Systems, and Installation
● EASA published a pre-Regulatory Impact Assessment (RIA); the FAA commented; EASA’s reaction was positive
  o We have an approved Aviation Rulemaking Advisory Committee, which will convene during March 2015

Page 20: Aviation Rulemaking Advisory Committee (ARAC)
● As a result of the December 18, 2014 ARAC meeting, the FAA assigned the ARAC a new task to provide recommendations regarding ASISP rulemaking, policy, and guidance on best practices for aircraft systems, including both certification and continued airworthiness.
● This new ARAC activity is soliciting membership for the new ASISP working group.

Page 21: Regulations, Policy, Standards and Guidance: Policy
● The FAA issued a Policy Statement for ASISP:
  o PS-AIR-21.16-02, Establishment of Special Conditions for Cyber Security, March 6, 2014

Page 22: Regulations, Policy, Standards and Guidance: Policy
● PS-AIR-21.16-02 quote:
  o “The Federal Aviation Administration (FAA) will issue special conditions for initial type certificate (TC), supplemental type certificate (STC), amended TC, or amended STC applications for aircraft systems that directly connect to external services and networks under…

Page 23: Regulations, Policy, Standards and Guidance: Policy
● PS-AIR-21.16-02 quote:
  o …the following conditions:
    1. The external service or network is non-governmental;
    2. The aircraft system receives information from the non-governmental service or network; and,
    3. The failure effect classification of the aircraft system is “major” or higher”.

Page 24: Regulations, Policy, Standards and Guidance: Policy
● PS-AIR-21.16-02
  o Does not require the issuance of special conditions for airworthiness and operational approval of field loadable software (FLS), aeronautical databases, and the Aircraft Communications Addressing and Reporting System (ACARS); other policies, standards, and guidance apply

Page 25: Regulations, Policy, Standards and Guidance: Policy
● We’re focusing, for the most part, on connectivity to the outside

Page 26: Regulations, Policy, Standards and Guidance: Standards and Guidance
● There are many information processing standards and guidance documents that might be usable in the ASISP context:
  o Federal Information Processing Standards (FIPS)
  o National Institute of Standards and Technology (NIST)
  o International Standards Organization (ISO)

Page 27: Regulations, Policy, Standards and Guidance: Standards and Guidance
● There are industry activities such as:
  o ARINC 811 Commercial Aircraft Information Security Concept of Operation and Process
  o ARINC 822 Aircraft/Ground IP Communication (GATELINK822)
  o ARINC 834-2 Aircraft Data Interface Function (ADF) for Aircraft Interface Device
  o ARINC 835 Guidance for Field Loadable Software Using Digital Signatures
  o ARINC 842 Guidance for Using Digital Certificates
  o ARINC Network Infrastructure and Security (NIS) Subcommittee (drafts/reports)
  o ARINC AGIE/MAGIC Subcommittee (drafts/reports)
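Page 11 lists corrupted software loads as a risk and page 27 lists ARINC 835 (digital signatures for Field Loadable Software); the following is an added Go example, not FAA or ARINC code and not the ARINC 835 format, of the check an onboard loader can run before installing a part: verify a supplier signature over a manifest (part number, target unit, image hash), then confirm the delivered image matches the signed hash. The key pair, part numbers, unit names and image bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// LoadManifest is a constructed, simplified manifest for one field-loadable
// software (FLS) part; its fields and encoding are assumptions for this example,
// not the ARINC 835 format.
type LoadManifest struct {
	PartNumber string
	TargetLRU  string // the line-replaceable unit this part is approved for
	ImageHash  [32]byte
	Signature  []byte
}

// manifestBytes is the canonical byte string that gets signed. Fields are
// length-prefixed so that different field splits cannot produce the same bytes.
func manifestBytes(m *LoadManifest) []byte {
	var b []byte
	var n [4]byte
	for _, s := range []string{m.PartNumber, m.TargetLRU} {
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		b = append(b, n[:]...)
		b = append(b, s...)
	}
	return append(b, m.ImageHash[:]...)
}

// SignLoad runs on the ground side: hash the image and sign the manifest with
// the supplier's private key.
func SignLoad(priv ed25519.PrivateKey, part, target string, image []byte) *LoadManifest {
	m := &LoadManifest{PartNumber: part, TargetLRU: target, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, manifestBytes(m))
	return m
}

// VerifyLoad runs on the aircraft side before installation: the signature must
// verify under the trusted supplier key, the part must be meant for this unit,
// and the image delivered must match the signed hash.
func VerifyLoad(pub ed25519.PublicKey, thisLRU string, m *LoadManifest, image []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m), m.Signature) {
		return errors.New("manifest signature invalid: reject load")
	}
	if m.TargetLRU != thisLRU {
		return fmt.Errorf("part %s is for %s, not %s: reject load", m.PartNumber, m.TargetLRU, thisLRU)
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image hash mismatch: load corrupted or tampered, reject")
	}
	return nil
}

func main() {
	// Constructed keys and image; a real loader holds only the public key,
	// provisioned out of band.
	pub, priv, _ := ed25519.GenerateKey(nil)
	image := []byte("constructed FLS image bytes")
	m := SignLoad(priv, "ABC-123-456", "FMS-1", image)
	fmt.Println("good load:", VerifyLoad(pub, "FMS-1", m, image))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", VerifyLoad(pub, "FMS-1", m, tampered))
	fmt.Println("wrong unit:", VerifyLoad(pub, "EFB-1", m, image))
}
```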

Page 28: Regulations, Policy, Standards and Guidance: Standards and Guidance
● There are industry activities such as:
  o A4A (formerly ATA) Spec 42 Aviation Industry Standards for Digital Information Security

Page 29: Regulations, Policy, Standards and Guidance: Standards and Guidance
● RTCA SC-216 produced the following standard:
  o DO-355 Information Security Guidance for Continuing Airworthiness
  o AFS-300 plans to invoke the guidance in DO-355

Page 30: Regulations, Policy, Standards and Guidance: Standards and Guidance
● RTCA SC-216 also produced the following standard:
  o DO-326A Airworthiness Security Process Specification
    - Contains guidance for Aircraft Certification to address information security threats to aircraft safety
    - Applies only to part 25, Transport Category Airplanes, with a passenger seating configuration of more than 19 seats
    - Invocation likely limited to part 25 Special Conditions in the near future

Page 31: Regulations, Policy, Standards and Guidance: Standards and Guidance
● RTCA SC-216 also produced the following standard:
  o DO-356 Airworthiness Security Methods and Considerations
    - A methods companion document to DO-326A
    - As with DO-326A, applies only to part 25, Transport Category Airplanes, with a passenger seating configuration of more than 19 seats
    - Invocation also likely limited to part 25 Special Conditions

Page 32: Future Direction for ASISP: AVS Strategic ASISP Plan (AKA 5 Year Plan), Current Draft
● Obtain recommendations for rulemaking and best practices for FAR Parts 23, 25, 27, 29, including Instructions for Continued Airworthiness
  o GAMA has established an ad hoc working group to develop industry recommended best practices for general aviation
  o Also need to obtain recommendations on the use of existing industry standards

Page 33: Future Direction for ASISP: AVS Strategic ASISP Plan, Current Draft
● Obtain recommendations for rulemaking and recommended best practices for FAR Parts 23, 25, 27, 29, including Instructions for Continued Airworthiness
  o For example, possibly on best practices for wireless Field Loadable Software (FLS) security, automatic fault logging and reporting for ASISP, and EFB / iPad security considerations

Page 34: Future Direction for ASISP: AVS Strategic ASISP Plan, Current Draft
● Obtain recommendations for rulemaking and recommended best practices for FAR Parts 23, 25, 27, 29, including Instructions for Continued Airworthiness
  o Instructions for Continued Airworthiness (ICA) for Transport Category Airplanes

Page 35: Future Direction for ASISP: AVS Strategic ASISP Plan, Current Draft
● Update Policy Statement PS-AIR-21.16-02, Establishment of Special Conditions for Cyber-Security, per accepted recommendations
● Revise Special Conditions and Companion Issue Papers per recommendations
● Define RTCA Documents Applicability for ASISP
● Support RTCA follow-on activities for ASISP
● Develop and publish Designee Management guidance and criteria for ASISP

Page 36: Future Direction for ASISP: AVS Strategic ASISP Plan, Current Draft
● Support Research and Development for ASISP
● Develop and publish training materials for ASISP

Page 37: Future Direction for ASISP
Deciding ASISP placement in the development of aircraft systems requirements:
● A separate process on its own, so to speak?
● Or not separate: part of the processes in Society of Automotive Engineers (SAE) Aerospace Recommended Practice (ARP) 4754A, Certification Considerations for Highly Integrated or Complex Aircraft Systems?

Page 38: ARP 4754A
Describes the Aircraft Systems Engineering Process:
● Requirements Capture
● Allocation of Requirements
● Architectural Considerations
● Software Design Assurance Level Determination
● Hardware Design Assurance Level Determination
● Integration

Page 39: ARP 4754A
Describes the Aircraft Systems Engineering Process:
● Safety Assessment Process (high level)
  o Functional Hazard Assessment (FHA)
  o Preliminary System Safety Assessment
  o System Safety Assessment, etc. (e.g., CCA)
● Requirements Validation
● System Verification

Page 40: ARP 4754A
[Figure: the guidance documents of the Development Phase and the In-Service/Operational Phase. Labelled elements: Intended Aircraft Function; System Design Information; Functional System; Function, Failure & Safety Information; Operation; Aircraft & System Development Processes (ARP 4754 / ED-79); Safety Assessment Process Guidelines & Methods (ARP 4761); Software Development Life-Cycle (DO-178B/ED-12B); Electronic Hardware Development Life-Cycle (DO-254 / ED-80); Guidelines for Integrated Modular Avionics (DO-297/ED-124); Safety Assessment of Aircraft in Commercial Service (ARP 5150 / 5151).]

Page 41: Discussion, Questions, Wrap-up
Contact information: Peter Skaves, FAA Chief Scientific and Technical Advisor for Advanced Avionics, [email protected], (425) 802 0395